MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.003 Command and Scripting Interpreter: Windows Command Shell
The sample contains DDE fields that are chained together to execute a command. The decoded command payload indicates the execution of 'c:\Windows\System32\cmd.exe /c taskkill /f winword.exe&powershell.exe', which attempts to terminate Microsoft Word and then execute PowerShell. This indicates an attempt to exploit the DDE functionality for arbitrary command execution.
Heuristics 4
-
Field QUOTE with ASCII-integer command payload critical OOXML_FIELD_QUOTE_ASCII_PAYLOADQUOTE field in word/footer2.xml carries a decimal-ASCII byte sequence that decodes to a shell command referencing cmd
-
Word field-chain (SET/REF) co-located with DDE high OOXML_FIELD_SET_REF_CHAINING3 SET/REF variable pair(s) co-occur with DDE field(s) in word/footer2.xml
-
DDE field low OOXML_DDEDDE (Dynamic Data Exchange) field found in word/footer2.xml. The command does not reference a known-dangerous executable, but DDE can be abused for code execution.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://lokipanelhostingpanel.gq/work/1.exe In document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingCanvasIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2014/chartexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/drawing/2015/9/8/chartexIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2012/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2015/wordml/symexIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingGroupIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingInkIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2010/wordprocessingShapeIn document text (OOXML body / shared strings)
Open this report in the interactive analyzer, or submit your own file for analysis.